The Misconceptions of GeoIP Banning

1. Blocking a country does not block that country’s attackers.

The primary idea behind a GeoIP Banning feature is that it protects your site against attackers. The theory is that some countries have more hackers than others, so blocking those countries will significantly reduce the chance of a successful attack against the site. The biggest flaw in this idea is that a request’s IP address tells you where the request left the Internet, not where the attacker is sitting, and attackers are not limited to IPs from their own country; they have IP addresses around the globe to use for their attacks. In other words, even if an attacker lives in a certain country, most of their requests are likely to come from outside that country.

The reason for this is that only unskilled attackers launch attacks from their own connections. Attackers with low budgets use anonymizers and free proxy services; such services are hosted all over the world and can be cherry-picked to make an attack appear to come from a specific region of the planet. Attackers with medium budgets can afford a variety of private VPN services, private proxies, and hosting with providers that are friendly to hackers. Successful attackers typically control hundreds of thousands to millions of compromised systems (referred to as a botnet) spread around the globe, so their traffic originates from wherever those victims happen to be, including inside any country you choose to allow.

2. Nearly half of the IPs are in the United States.

While it is true that blocking the majority of the world’s countries from logging into your site could potentially block a significant percentage of login attempts, it simply will not block enough to make it viable. To give some numbers, according to MaxMind, the go-to source for GeoIP databases, it tracks 3,615,573,718 IP addresses by country, 44% of which are associated with the United States. Assuming that we made this feature, if you allowed logins from the United States, you would instantly allow logins from just shy of half of all the IP addresses being tracked by country, including some of the most commonly used proxies and botnet addresses.

Warning: I’m about to get fairly technical, and there will be math ahead!

Let’s create a best case scenario for GeoIP blocking. At its absolute best it can block a percentage of attacks. If you allow IPs only from within the United States, that percentage is likely no more than 56%, since the remaining 44% of tracked addresses are in the United States. Thus in an absolute best case scenario, where an attacker and their tooling are not smart enough to figure out that they need to use US-based IPs (which is unlikely, but let’s give it the benefit of the doubt here), only 44% of their guesses get through, so it will take them a little over twice as long (1 / 0.44 ≈ 2.3 times) to break your password by brute force as it would without the banning.

Let’s compare that to lengthening your password. If your password is made of upper and lower case letters, numbers, and symbols, you have approximately 88 characters to choose from. Thus, extending your password by a single character multiplies the number of attempts needed to brute force it by 88. Rounding the GeoIP slowdown to a factor of two, that makes adding a single character roughly 44 times more effective at stopping a classic brute force attack than blocking all non-US IPs. Adding two characters multiplies the required attempts by 7,744 (88 × 88), roughly 3,872 times better than the best case scenario for GeoIP banning, and again it only requires that you lengthen your password by two characters! Note that these figures describe a true brute force search over a random password; an attacker who guesses from a dictionary of common passwords is not slowed by the alphabet arithmetic at all, which is why the password should be both long and random.
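The comparison above, carried through as a worked example. This is code added here, not from the original post: it takes the post’s own figures (an 88-character alphabet and 56% of tracked IPs outside the United States) and answers two questions the text leaves implicit, namely how many password characters the blocking is worth and how much of the world would have to be blocked to equal a single extra character. The guess rate of 1,000 attempts per second used in the demo is a constructed value, not a measurement.

```python
"""Added example (not from the original post): compare the brute-force
slowdown from GeoIP blocking against the slowdown from a longer password.

Assumptions, taken from the post's own figures: an attacker who never adapts
and keeps sending guesses from blocked countries, a uniformly random password
over an alphabet of 88 characters, and a blocked fraction of 0.56 (everything
outside the United States). The guess rate in the demo is constructed.
"""
import math


def blocking_slowdown(blocked_fraction: float) -> float:
    """Factor by which a non-adapting attacker's time-to-success grows when
    `blocked_fraction` of their guesses are dropped by the GeoIP filter.
    Only the surviving fraction does any work, so the factor is 1 / (1 - f)."""
    if not 0.0 <= blocked_fraction < 1.0:
        raise ValueError("blocked_fraction must be in [0, 1)")
    return 1.0 / (1.0 - blocked_fraction)


def length_slowdown(alphabet_size: int, extra_chars: int) -> int:
    """Factor by which the search space grows when `extra_chars` characters
    are appended to a password drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** extra_chars


def blocking_in_characters(alphabet_size: int, blocked_fraction: float) -> float:
    """Number of extra password characters that give the same slowdown as
    blocking `blocked_fraction` of the attacker's IPs (solves A**x == 1/(1-f))."""
    return math.log(blocking_slowdown(blocked_fraction)) / math.log(alphabet_size)


def fraction_equivalent_to_one_char(alphabet_size: int) -> float:
    """Fraction of the attacker's IPs that would have to be blocked to match one
    extra character (solves 1/(1-f) == A, i.e. f = 1 - 1/A)."""
    return 1.0 - 1.0 / alphabet_size


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float,
                     blocked_fraction: float = 0.0) -> float:
    """Expected time to hit a uniformly random password by online brute force:
    half the search space, at the guess rate that survives the GeoIP filter."""
    surviving_rate = guesses_per_second * (1.0 - blocked_fraction)
    return (alphabet_size ** length / 2.0) / surviving_rate


if __name__ == "__main__":
    ALPHABET, BLOCKED, RATE = 88, 0.56, 1000.0  # RATE is a constructed demo value
    print(f"GeoIP slowdown (block 56%):      x{blocking_slowdown(BLOCKED):.2f}")
    print(f"One extra character:             x{length_slowdown(ALPHABET, 1)}")
    print(f"Two extra characters:            x{length_slowdown(ALPHABET, 2)}")
    print(f"Blocking 56% of IPs is worth     {blocking_in_characters(ALPHABET, BLOCKED):.2f} characters")
    print(f"Matching one character requires blocking "
          f"{fraction_equivalent_to_one_char(ALPHABET):.1%} of the attacker's IPs")
    for n in (6, 7, 8):
        years = expected_seconds(ALPHABET, n, RATE) / (365 * 86400)
        print(f"{n}-character password, no blocking: about {years:,.1f} years at {RATE:.0f} guesses/s")
```

Blocking 56% of the world comes out to less than a fifth of one password character, and to match a single character you would have to block almost 99% of the addresses an attacker can use, which no country allow-list gets near.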

4. Limiting access by states or cities is not a viable option.

Some may wonder then, if focusing on areas smaller than a country would be the solution. For example, rather than allowing all of the United States to log in, what if login access was limited to just a single state or city?

The problem with this approach is that accuracy drops significantly as the area gets smaller. Based upon MaxMind’s own stats, country accuracy is 99.8%, state accuracy is 90%, and city accuracy is 81%. Accuracy rates of 81-90% are not good enough to build a feature like this. Imagine being blocked one in every five to ten times you tried to log into your site because your IP address was placed in the wrong state or city. Even these accuracy rates are optimistic: the listed 81% city accuracy covers only United States cities and counts a result as correct when it falls within 50km of the true location. The city database accuracy page shows that exact city matching in the United States is just 53%, and some countries are far worse, such as Australia, where it is just 15%.

As more and more people access their sites from mobile devices, things get worse: accuracy rates for mobile devices are not listed, they are simply noted as being “lower” (see footnote #1).

Being locked out of your site because of an inaccuracy in the GeoIP database, because you went out of town without updating your site’s settings first, because your connection keeps getting misidentified as another nearby city, or because you are on a mobile connection would make for a very poor feature.
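The lockout risk described in this section, as a worked example. This is code added here, not from the original post: it uses the MaxMind accuracy figures the post quotes and computes how quickly a legitimate user of a state- or city-level allow-list would hit a false block. Treating each login as an independent draw with that accuracy is a simplifying assumption made for illustration; a user whose connection is consistently misplaced would be blocked every time instead, which is worse. The 250 logins per year in the demo is a constructed usage pattern.

```python
"""Added example (not from the original post): how often a legitimate user
would be locked out by a login allow-list built on state- or city-level GeoIP.

The accuracy figures are the ones the post quotes from MaxMind. Modelling each
login as an independent draw with that accuracy is a simplifying assumption.
"""
import math

# Accuracy figures quoted in the post (MaxMind's published numbers).
ACCURACY = {
    "country": 0.998,
    "state": 0.90,
    "city (US, within 50 km)": 0.81,
    "city (US, exact)": 0.53,
    "city (Australia, exact)": 0.15,
}


def p_false_block(accuracy: float, logins: int) -> float:
    """Probability that at least one of `logins` independent attempts is
    placed outside the allowed area and refused: 1 - accuracy ** logins."""
    if not 0.0 <= accuracy <= 1.0 or logins < 0:
        raise ValueError("accuracy must be in [0, 1] and logins >= 0")
    return 1.0 - accuracy ** logins


def logins_until_block_likely(accuracy: float, threshold: float = 0.5) -> int:
    """Smallest number of logins after which the chance of having hit at least
    one false block reaches `threshold` (solves 1 - a**n >= t for integer n)."""
    if not 0.0 < accuracy < 1.0 or not 0.0 < threshold < 1.0:
        raise ValueError("accuracy and threshold must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - threshold) / math.log(accuracy))


def expected_false_blocks(accuracy: float, logins: int) -> float:
    """Expected number of refused logins out of `logins` attempts."""
    return logins * (1.0 - accuracy)


if __name__ == "__main__":
    LOGINS_PER_YEAR = 250  # constructed: roughly one login per working day
    for level, acc in ACCURACY.items():
        print(f"{level:26s} accuracy {acc:5.1%}: "
              f"P(blocked at least once in 10 logins) = {p_false_block(acc, 10):6.1%}; "
              f"a lockout is more likely than not after {logins_until_block_likely(acc):3d} logins; "
              f"about {expected_false_blocks(acc, LOGINS_PER_YEAR):5.1f} refusals a year")
```

At the 81% city figure a user has better than even odds of being locked out within four logins; at country level it takes several hundred, which is why the post treats only country-level blocking as even arguable, and still rejects it on the grounds in the earlier sections.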

5. Adding GeoIP Banning code would increase server load.

A GeoIP Banning feature comes with a cost. This isn’t a monetary cost; rather, it’s a server load cost.

Every additional bit of code that has to run in order to create a page increases the CPU load on the server. Even if you have a strong password and two factor authentication, you still have to fear a brute force attack. The fear isn’t that the attack will result in a compromised account; rather, it’s that the increased load on the server could compromise the stability of the site. If the load on the server goes too high, the site will start to slow down for visitors. Depending on the hosting plan and server configuration, such a load increase could also cause the site to break on some visits and could cause problems with your hosting provider. The increase from a GeoIP lookup would be relatively small when the lookup runs against a local database (and considerably larger if it queried a remote service on every request), but it is still an increase, and every one of an attacker’s requests would pay it, which can make a very big difference to a site already under a brute force attack.